Google faces US, German probes over WiFi data collection

Google had better be getting ready for a good probing from authorities in both …

Authorities in both Germany and the US are expected to begin inquiries into Google's "accidental" collection of WiFi payload data by its Street View cars. German commissioner for data protection Peter Schaar has asked for a detailed probe of the incident while consumer group Consumer Watchdog has demanded that the US Federal Trade Commission look into Google's activities on this side of the pond.

The furor erupted after Google admitted on Friday that its Street View cars had been collecting more data than the company realized. The cars are supposed to only take photos of the street and collect basic WiFi information, such as the SSIDs and MAC addresses of WiFi routers. The WiFi data was to be used in Google's location-based services, and Google argued last month that it only collected the same data that was publicly available to anyone walking down the street with a WiFi device. Google insisted that it did not collect any kind of IP or packet data in the course of its WiFi collections.

That turned out to be mostly untrue. The company announced last week that it discovered a "mistake" in the code being used to collect info and that it was, in fact, collecting some information on who was visiting what websites on which WiFi networks. Google said that the data was never used in any capacity and that it had no plans to keep the unwanted data around. The company said it was looking to destroy the data immediately with the help of an independent review (an update to Google's blog post from Friday indicates that data collected in Ireland has already been deleted). The company also said that it would stop collecting any information about WiFi networks in light of this discovery.

Schaar doesn't appear to believe Google, characterizing its explanation as "highly unusual": "One of the largest companies in the world, the market leader on the internet, simply disobeyed normal rules in the development and usage of software," he told the Financial Times.

Similarly, Consumer Watchdog described Google's actions as a "flagrant intrusion into consumers' privacy" and noted that it only came to light because Google was being questioned by European regulators. The group called on the FTC to document what Google had gathered and what has been done with the data.

"Google has demonstrated a history of pushing the envelope and then apologizing when its overreach is discovered," consumer advocate John Simpson said in a statement. "Given its recent record of privacy abuses, there is absolutely no reason to trust anything the Internet giant claims about its data collection policies."

Simpson has a point; Google does have a tendency to go a little too far with users' privacy when it pushes out new services, as it did recently with the Buzz launch. However, if we take Google's explanation at face value, the Street View WiFi debacle was little more than a huge and outrageously careless oversight—not an intentional privacy-harming feature rollout like Buzz. Google has really done a number on itself this time, and regulators may look askance at its voluntary admission given the company's history.

Update: German authorities have demanded that Google hand over the hard drives it used to store the data so that they can see exactly what's on them, according to the New York Times. Google has offered to destroy the data but not hand it over (yet, anyway), and Germany is not happy with that solution.

Isn't 600gb of information (admittedly only by their own accounts) a tiny amount of information to have collected considering the number of street view cars they've sent around the world? If it were intentional wouldn't the amount of data collected be orders of magnitude greater?

My friend invited me to Skoost.com, that apparently is "the new social networkingsite", he isn't sure he intentionally invited me.

OK whatever, I checked it out, and Skoost.com (who are they?) said they'd use gmail to find my friends.

Uh ok...

So Skoost says, you have 377 friends, click next to invite them to Skoost. Then there was a list of my 377 friends, all opt-out selected.

The first dude I actually knew, the next 6 was abuse@randomcompany. So Google just gave Skoost a list of everyone I ever emailed, and Skoost would invite all 377 pretending that /I/ had selected them personally?

I closed the window, but Skoost still send me an email to my gmail account welcomming me to Skoost, they better not have invited everyone I ever send an email to, or I'll sue them to hell and back (pun intended, but only works if you're Danish).

Part of email from Skoost to me:

"Welcome to Skoost! You're now part of a growing community of over 15 million people.

Skoost enables you to connect with friends old and new, flirt with secret admirers (if you choose) and share gifts, winks and more..."

WTF. I closed the window, no, abuse@randomcompany or webmaster@websiteIhate are not my secret admirers, and why are Google giving you all theese adresses?

I see individuals doing this all the time in public -- walking around with devices that can see who is visiting what websites on other people's WiFi and storing it to large centralized databases to use in their billion dollar advertising empires. lol!

I wondered yesterday, casually, what the Gorg would have to do if the Gorg decided it WANTED to regain public trust in its privacy protection intentions. Now that its schmurped its reputation so badly both here and abroad.

So you are saying google intentionaly tried to hurt everyones privacy with it?

You're misreading it, it was an intentional feature (to basically share your info with everyone), but it was one that opened privacy issues.

One, as I have said before, that happened during the student protests in Iran.

Ignorant students who thought that if they used internet cafés and gmail, Google wouldn't give them a list of all their associates.

"Whoops, our bad", just doesn't cover it, and isn't really the same as Skoost sending an email to the webmaster of Ars because I once whined about something, in a form where Skoost pretends that I intentionally want to exchange gifts, flirt and really consider him a friend, it'll just irritate him, but at least I wont go to jail in Iran over it.

(Again, Google just gave the email adress of everyone I emailed to, to a company called Skoost.)

*sigh* Here we go again. Google really needs to learn to keep its mouth shut because the world just isn't prepared to deal with a company as forthcoming as they are. Yeah, idjits - they re-used some code from another project, not realizing it was storing some additional data - easy to do with OO programming languages.

As I stated in the previous article on this, can all you pitchfork-wielding mob-types please tell me just what google could possibly accomplish with randomly collected data from a single moment in time (the time their cam-car was passing your wifi)? There's no extended data to put what they recorded into context, so it's pretty much meaningless. Never mind that if they can do it, so can ANYBODY ELSE - much more likely someone with far more sinister intent than the big G has.

My friend invited me to Skoost.com, that apparently is "the new social networkingsite", he isn't sure he intentionally invited me.

OK whatever, I checked it out, and Skoost.com (who are they?) said they'd use gmail to find my friends.

Uh ok...

So Skoost says, you have 377 friends, click next to invite them to Skoost. Then there was a list of my 377 friends, all opt-out selected.

The first dude I actually knew, the next 6 was abuse@randomcompany. So Google just gave Skoost a list of everyone I ever emailed, and Skoost would invite all 377 pretending that /I/ had selected them personally?

I closed the window, but Skoost still send me an email to my gmail account welcomming me to Skoost, they better not have invited everyone I ever send an email to, or I'll sue them to hell and back (pun intended, but only works if you're Danish).

Part of email from Skoost to me:

"Welcome to Skoost! You're now part of a growing community of over 15 million people.

Skoost enables you to connect with friends old and new, flirt with secret admirers (if you choose) and share gifts, winks and more..."

WTF. I closed the window, no, abuse@randomcompany or webmaster@websiteIhate are not my secret admirers, and why are Google giving you all theese adresses?

Thanks for protecting my privacy Google.

As I'm sure you figured out, all that stuff comes from your Gmail address book. If you have not given them your Gmail password, they should not be able to access your information. However, if you did some kind of OAuth (i.e. skoost.com redirected you to gmail, and you said "yes, please allow skoost.com access to my info), it might not require your Gmail password. Once you have done either of the OAuth or give them your password, it's a simple API call to pull your contact list out of Google. Many services already do this, including Facebook, LinkedIn and others.

In any case, it seems difficult for skoost.com to be able to access your address book without your Gmail/googletalk password. Perhaps somewhere along the way you gave it to them? If not, I smell a privacy breach!

And as far as them sharing your data, welcome to the Wild West Web. Companies are in a full bore race to beat each other to all the new ideas (or in the case of Google's Buzz fuck-up, trying to get back in the race currently dominated by others) - the code for new ideas and programs needs to go live YESTERDAY in this cutthroat business. There's no time for making sure everything is perfect or you fall to the wayside as another company takes your idea and runs with it. Why do you think so many web companies have come and gone (many in the matter of only months). This shit is gonna keep happening until all virtually the new ideas have been exhausted and the only thing that remains are minor tweaks. That ain't gonna happen for a while, so if you're that afraid then stay off the net until the dust settles and it becomes as boring as can be.

As I stated in the previous article on this, can all you pitchfork-wielding mob-types please tell me just what google could possibly accomplish with randomly collected data from a single moment in time (the time their cam-car was passing your wifi)? There's no extended data to put what they recorded into context, so it's pretty much meaningless. Never mind that if they can do it, so can ANYBODY ELSE - much more likely someone with far more sinister intent than the big G has.

Gawd, you people need to get a grip!

"You people" being authorities in two countries?

It doesn't really matter that it was "worthless" data, it was still illegally taken. And on top of the series of Google "slip-ups" in the past.

Are we supposed to believe that Google's engineers and programmers, some of the smartest in the world, make so many basic mistakes on projects that have worldwide deployment?

*sigh* Here we go again. Google really needs to learn to keep its mouth shut because the world just isn't prepared to deal with a company as forthcoming as they are. Yeah, idjits - they re-used some code from another project, not realizing it was storing some additional data - easy to do with OO programming languages.

As I stated in the previous article on this, can all you pitchfork-wielding mob-types please tell me just what google could possibly accomplish with randomly collected data from a single moment in time (the time their cam-car was passing your wifi)? There's no extended data to put what they recorded into context, so it's pretty much meaningless. Never mind that if they can do it, so can ANYBODY ELSE - much more likely someone with far more sinister intent than the big G has.

Gawd, you people need to get a grip!

Well, you are right. People are used to companies with at least minimal standards of ethics, and competence in program design, implementation, and testing.

Had Google used their ethical, design, implementation, OR testing skills, these problems wouldn't arise (repeatedly).

This is silly. If you're sitting around with an open wifi in your house, I think Google is the least of your problems. If you're broadcasting your data all over the neighborhood, you're making it public yourself; it's not the fault of the person listening.

This is silly. If you're sitting around with an open wifi in your house, I think Google is the least of your problems. If you're broadcasting your data all over the neighborhood, you're making it public yourself; it's not the fault of the person listening.

Of course does running an unsecured access point make you an idiot. But being an idiot is not illegal so long as you don't break any local laws (though, by deity, it should be). Accessing someone else's network (secured or not) without authorization and/or grabbing data packets from such networks (intentionally or not) however, is illegal in quite a few places.

It's not about what is or isn't silly – it's about what's legal and what isn't.

This is silly. If you're sitting around with an open wifi in your house, I think Google is the least of your problems. If you're broadcasting your data all over the neighborhood, you're making it public yourself; it's not the fault of the person listening.

Of course does running an unsecured access point make you an idiot. But being an idiot is not illegal so long as you don't break any local laws (though, by deity, it should be). Accessing someone else's network (secured or not) without authorization and/or grabbing data packets from such networks (intentionally or not) however, is illegal in quite a few places.

It's not about what is or isn't silly – it's about what's legal and what isn't.

And it's one thing for a single person to walk by your home (with just their smartphone nowadays!) and see your network is open. Even to swipe some access for a bit. Still wrong, but pretty. (If hordes of people are doing it for profit, hired by a nefarious company, that is an entirely different matter.) Now, take a gigantic corporation like Google doing this on a multi-continental scale and you're talking a whole new level of badness.

Personally, I'm surprised it's even legal for them to drive around collecting WiFi info like SSIDs and MACs and in the first place, whatever their claim to its use. Though nowadays I probably shouldn't be.

Google's "Do no evil" mantra not only has fallen to the wayside, it's so far behind they have forgotten it ever existed. [Edit: Darn it, someone beat me to it while I was writing this! LOL]

That was for those who might have read my prior comment - a simple acknowledgement that might spare someone the effort of checking whether it was me who said it last time they read it. A common courtesy, but apparently you fail to recognize that when you're too wound up and carrying your pitchfork...

effgee wrote:

In some countries, Germany being one of them, it is illegal to:

Access someone else's network without authorization (regardless of whether or not it's been secured)

Before you reply to this with nonsense about conspiracy theorists, tinfoil hats, and generally mad people attacking your poor misunderstood Google – re-read the text in parenthesis above.

It's illegal, plain and simple. Whether or not you agree with these laws is irrelevant.

True on that last point, but give credit where credit is due - once they realized the mistake (and this HAD to be a mistake as it doesn't make sense for it to be on purpose) they fessed up without trying to cover it up (unlike many other large companies routinely do). Again, this is nothing unique to Google - anyone could have done it and nobody would be the wiser. At worst, maybe they DID become aware of it after the fact and decided to keep it to play with for future ideas they may have had, but as of yet I haven't seen ANYONE propose what use the random data could be put to (nefarious or otherwise). Again, this is nothing unique to Google - anyone could have done it and nobody would be the wiser.

effgee wrote:

Then there's of course the question of corporate ethics, but I'll leave that up to others this time around. Don't feel like wasting my time on hopeless folk today.

You're only kidding yourself if you think any LARGE corporation is truly worried about being ethical - at best it's a balance between PR image and money, with money usually taking priority. Google's certainly got its faults, but taken as a whole it's far better than virtually all the alternatives of similar size.

It doesn't really matter that it was "worthless" data, it was still illegally taken. And on top of the series of Google "slip-ups" in the past.

Agreed - Google HAS been screwing up a helluva a lot lately. I think they are used to being on top and the exponential growth of Facebook, along with several other nips at their feet has made them nervous about losing that spot. The more you fear something, the more likely you are to make it happen and Google's certainly heading down that path...

coldandtired wrote:

Are we supposed to believe that Google's engineers and programmers, some of the smartest in the world, make so many basic mistakes on projects that have worldwide deployment?

I'm sure some of their staff fits that bill, but - like any other company with a large number of specialists in any particular field - they've got their slackers, too, I'll wager. You're only as good as your weakest link, and maybe Google's got some house-cleaning to do.

... but give credit where credit is due - once they realized the mistake (and this HAD to be a mistake as it doesn't make sense for it to be on purpose) they fessed up without trying to cover it up (unlike many other large companies routinely do). ...

SanctimoniousApe wrote:

... You're only kidding yourself if you think any LARGE corporation is truly worried about being ethical - at best it's a balance between PR image and mone ...

I even went so far as to make it red for you - you do see 'teh funny', right?

Right???

In case you haven't (which I sort of suspect): You yourself say no large corporation is worried about ethics, but five seconds earlier and a paragraph above you give precisely such a corporation the benefit of the doubt even though no one outside of Google has ever seen this data and/or knows what they have(n't) done with it.

Why would you do that - because the other companies are worse (or so you think)?

In case you haven't (which I sort of suspect): You yourself say no large corporation is worried about ethics, but five seconds earlier and a paragraph above you give precisely such a corporation the benefit of the doubt even though no one outside of Google has ever seen this data and/or knows what they have(n't) done with it.

Why would you do that - because the other companies are worse (or so you think)?

You need to buy bridges. Lots of them.

There is a very good reason to give them the benefit of the doubt. The information is basically useless, there is no reason that a company would intentionally collect useless data. The possibility of it being collected because they started with some OSS project intended for other purposes and either missed an option or missed a block of code they weren't aware of is much higher and makes quite a bit more sense.

If it were MS or even ATT I'd still give them the same benefit of the doubt in this case.

Ah, but their corporate mantra is "Don't be evil". Important distinction. They're allowing themselves the possibility to do evil, so long as they're not "being" evil. Vague and maybe even amoral phrase when used to evaluate what they allow themselves to "do". (E.g., "Collecting all that data might have seemed evil but we didn't intend it in an evil way.")

... There is a very good reason to give them the benefit of the doubt. The information is basically useless, ...

I agree 100% that the data is most likely nothing but garbage.

But why the hell anyone would give any company the benefit of the doubt is beyond me. Would the Google disciples here have reacted the same way if we were talking about MSFT, Facebook or Yahoo? There's exactly two groups of folks towards whom you display such generosity - your friends and your family. Anything beyond that is precisely as stupid as it is to leave your network unsecured.

And, to repeat it for the n-th time, none of these aspects of morality & ethics matter. What matters is the legality of Google's actions and whether or not they broke local law.

You yourself say no large corporation is worried about ethics, but five seconds earlier and a paragraph above you give precisely such a corporation the benefit of the doubt even though no one outside of Google has ever seen this data and/or knows what they have(n't) done with it.

Why would you do that - because the other companies are worse (or so you think)?

You know you are losing an argument when you are reduced to semantics to fight your side.

Yes, Google is a big company trying to stay on top and they have made plenty of mistakes. I've already acknowledged this and find it no different from any other company, with the exception that they tend to be far more readily forthcoming about said mistakes than most. I certainly don't believe they are providing services out of the kindness of their hearts - they're in it for the money just like any other multi-national. The difference to me is that they seem to at least respect their customers (unlike, say, Facebook) and tend to do a fairly decent job trying to walk the fine line between that and the need to make money.

It's unfortunate that they've shot themselves in the foot so much lately because I don't see any alternatives that have more respect for their users than they generally do. Could they have more? Sure, but in this cutthroat, competitive business world if they didn't do it someone else with less respect for the user would. In fact there probably already are others doing it, and they're being far less open about it - that's what should concern you more.

This is such a non-issue its not even funny. I knew when they said they'd accidentally grabbed more then the SSID's and MAC addresses they were probably just using your standard wireless sniffing tools which are usually set to record more then that by default. Even so, who cares? Its wifi, its like having a conversation in a restaurant, just because you don't normally expect people to be listening in its really not all that different then if they drove around with a microphone and recorded bits of conversations being had on the street. I used to war drive, and I collected that stuff just for fun, you send your data in the clear, expect someone might listen in. Anything sensitive was SSL encrypted anyway so who cares.

... There is a very good reason to give them the benefit of the doubt. The information is basically useless, ...

I agree 100% that the data is most likely nothing but garbage.

But why the hell anyone would give any company the benefit of the doubt is beyond me. Would the Google disciples here have reacted the same way if we were talking about MSFT, Facebook or Yahoo? There's exactly two groups of folks towards whom you display such generosity - your friends and your family. Anything beyond that is precisely as stupid as it is to leave your network unsecured.

And, to repeat it for the n-th time, none of these aspects of morality & ethics matter. What matters is the legality of Google's actions and whether or not they broke local law.

At the risk of relying upon semantics myself, the entire reason to give Google the benefit of the doubt is due to the uselessness of the data, something you have (finally) acknowledged. I'll admit to having a strong distaste for MSFT's past tactics, but I would still give them the benefit of the doubt for exactly the same reason (although, I admit I probably wouldn't defend them so vigorously).

And the reason intent matters is because it will likely have a strong impact on the penalty Google will eventually face. It seems more likely that clueless politicians are just seeing an easy target to score political points by riling up the equally clueless masses.

That's it from me on this. I've made my point and I've got work to do. TTFN.

You know you are losing an argument when you are reduced to semantics to fight your side it when you leave logic behind and resort to meaningless platitudes.

T, FTFY.

SanctimoniousApe wrote:

... The difference to me is that they seem to at least respect their customers (unlike, say, Facebook) and tend to do a fairly decent job trying to walk the fine line between that and the need to make money. ...

SanctimoniousApe wrote:

... It's unfortunate that they've shot themselves in the foot so much lately ...

You seem to be arguing with yourself – I suggest you finish that ongoing internal discussion first.

SanctimoniousApe wrote:

At the risk of relying upon semantics myself, the entire reason to give Google the benefit of the doubt is due to the uselessness of the data, something you have (finally) acknowledged. ...

It's not semantics when you shove your own words down someone else's throat, even though they never uttered (or typed, for that matter) them.

As I'm sure you figured out, all that stuff comes from your Gmail address book. If you have not given them your Gmail password, they should not be able to access your information. However, if you did some kind of OAuth (i.e. skoost.com redirected you to gmail, and you said "yes, please allow skoost.com access to my info), it might not require your Gmail password. Once you have done either of the OAuth or give them your password, it's a simple API call to pull your contact list out of Google. Many services already do this, including Facebook, LinkedIn and others.

In any case, it seems difficult for skoost.com to be able to access your address book without your Gmail/googletalk password. Perhaps somewhere along the way you gave it to them? If not, I smell a privacy breach!

Having looked at the aforementioned site, I have to agree. It explicitly asks for the password to your email account on the second page of signup.

*sigh Ammended my comment and wound up seeing this, so at the risk of feeding the trolls...

effgee wrote:

SanctimoniousApe wrote:

At the risk of relying upon semantics myself, the entire reason to give Google the benefit of the doubt is due to the uselessness of the data, something you have (finally) acknowledged. ...

It's not semantics when you shove your own words down someone else's throat, even though they never uttered (or typed, for that matter) them.

Ahem...

effgee wrote:

I agree 100% that the data is most likely nothing but garbage.

But why the hell anyone would give any company the benefit of the doubt is beyond me.

Um, yeah - ya did type it.

effgee wrote:

That's called lying. Go and take yer spin-class somewhere else.

Re-read my post, comprehend it, then reply.

I see you subscribe to the Fox News approach to "Fair and Balanced." *snicker* Notice how previously I have quoted entire passages of yours for context while you take sound-bite sized snippets out of context and - as you say - spin them for your own so-called points. That's lying.

Okay, I've truly had enough of you. I may respond later to someone who isn't a fan of Glenn Beck, et. al.